ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?


ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?

L A Walsh
Warning! This could be a lot of "nonsense" and be a potentially reactive
topic. Please don't escalate things emotionally or no one will ever
understand what the facts are.

That said, I see some trends/repeated behavior+history consistent
with sysd's expansion into other OS functions,
so I see no reason to completely disbelieve some of the statements
I've read or try to summarize below.

Does anyone know what's happening in OpenSUSE related to this?
Will it be generating the same types of instability and problems?

Will opensuse still support other DNS resolvers (bind/named, dnsmasq,
etc) even if they are incompatible with new sysd operation?


/There is a sysxxxd vulnerability
<https://www.ubuntu.com/usn/usn-3341-1/> in the latest ubuntu
distributions due to sysxxxd's new DNS resolver. The inclusion of the
dns resolver was lamented by many on the mailing list
<https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html>,
not without cause. All are advised to update their distribution./


New features include(**)

-taking over glibc library functions gethostbyname & getaddrinfo in
nsswitch to
redirect dns calls into sysd's version

-changes /etc/resolv.conf creating race conditions with various SW
packages, leading to inconsistent address resolution

- turns DNS requests into XML requests fed over the sysdbus for requests
and answers, duplicating DNS protocol handling code requiring sysd to
keep up with
DNS changes.

- does forwarding-only & relies on DHCP for a full DNS server stripping off
DNS security records in the process so sysd-local changes can't be detected
by local applications.

- scans for its own group of DNS servers on all interfaces and sends out
DNS queries on all ports using "first-received" answers vs. authoritative
answers (including ones w/NXDOMAIN), allowing easy propagation of poisoned
DNS info.

- believed not to handle split DNS schemes needed for VPN setups to work
correctly.


(**-
https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html)

Apparently sysd's DNS changes haven't gone over well in terms of
interoperability w/existing DNS -- a persistent theme as sysd takes on a
new system function/area.

_I_ have more than a little anxiety over the idea that all alternate DNS
solutions will be thrown out..

comments?

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?

Knurpht - Gertjan Lettink
On Wednesday 28 June 2017 22:49:08 CEST, L A Walsh wrote:

> Warning! This could be a lot of "nonsense" and be a potentially reactive
> topic. Please don't escalate things emotionally or no one will ever
> understand what the facts are.
>
> That said, I see some trends/repeated behavior+history consistent
> with sysd's expansion into other OS functions,
> so I see no reason to completely disbelieve some of the statements
> I've read or try to summarize below.
>
> Does anyone know what's happening in OpenSUSE related to this?
> Will it be generating the same types of instability and problems?
>
> Will opensuse still support other DNS resolvers (bind/named, dnsmasq,
> etc) even if they are incompatible with new sysd operation?
>
>
> /There is a sysxxxd vulnerability
> <https://www.ubuntu.com/usn/usn-3341-1/> in the latest ubuntu
> distributions due to sysxxxd's new DNS resolver. The inclusion of the
> dns resolver was lamented by many on the mailing list
> <https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html>,
> not without cause. All are advised to update their distribution./
>
>
> New features include(**)
>
> -taking over glibc library functions gethostbyname & getaddrinfo in
> nsswitch to
> redirect dns calls into sysd's version
>
> -changes /etc/resolv.conf creating race conditions with various SW
> packages, leading to inconsistent address resolution
>
> - turns DNS requests into XML requests fed over the sysdbus for requests
> and answers, duplicating DNS protocol handling code requiring sysd to
> keep up with
> DNS changes.
>
> - does forwarding-only & relies on DHCP for a full DNS server stripping off
> DNS security records in the process so sysd-local changes can't be detected
> by local applications.
>
> - scans for its own group of DNS servers on all interfaces and sends out
> DNS queries on all ports using "first-received" answers vs. authoritative
> answers (including ones w/NXDOMAIN), allowing easy propagation of poisoned
> DNS info.
>
> - believed not to handle split DNS schemes needed for VPN setups to work
> correctly.
>
>
> (**-
> https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html)
>
> Apparently sysd's DNS changes haven't gone over well in terms of
> interoperability w/existing DNS -- a persistent theme as sysd takes on a
> new system function/area.
>
> _I_ have more than a little anxiety over the idea that all alternate DNS
> solutions will be thrown out..
>
> comments?
Tumbleweed's already on version 233, my bet is that the patch will be
backported to Leap's 228 version.

--
Gertjan Lettink, a.k.a. Knurpht

openSUSE Board Member
openSUSE Forums Team



Re: ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?

Mikhail Kasimov
Hello!

As I remember, openSUSE uses two network management frameworks -- Wicked
(by default) and NetworkManager (as an alternative).

Systemd network management subsystem is not in use and it is absent in
SUSE's systemd assembly. I'm not aware of the situation on Tumbleweed (with
systemd v233), but Leap (systemd v228) has no native systemd network
subsystem at all. I suppose Tumbleweed also doesn't contain the systemd
network subsystem, if there are no other plans somewhere for it.

Hence, Leap 42.x is not vulnerable by default.


28.06.2017 23:59, Knurpht - Gertjan Lettink wrote:

> On Wednesday 28 June 2017 22:49:08 CEST, L A Walsh wrote:
>> Warning! This could be a lot of "nonsense" and be a potentially reactive
>> topic. Please don't escalate things emotionally or no one will ever
>> understand what the facts are.
>>
>> That said, I see some trends/repeated behavior+history consistent
>> with sysd's expansion into other OS functions,
>> so I see no reason to completely disbelieve some of the statements
>> I've read or try to summarize below.
>>
>> Does anyone know what's happening in OpenSUSE related to this?
>> Will it be generating the same types of instability and problems?
>>
>> Will opensuse still support other DNS resolvers (bind/named, dnsmasq,
>> etc) even if they are incompatible with new sysd operation?
>>
>>
>> /There is a sysxxxd vulnerability
>> <https://www.ubuntu.com/usn/usn-3341-1/> in the latest ubuntu
>> distributions due to sysxxxd's new DNS resolver. The inclusion of the
>> dns resolver was lamented by many on the mailing list
>> <https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html>,
>> not without cause. All are advised to update their distribution./
>>
>>
>> New features include(**)
>>
>> -taking over glibc library functions gethostbyname & getaddrinfo in
>> nsswitch to
>> redirect dns calls into sysd's version
>>
>> -changes /etc/resolv.conf creating race conditions with various SW
>> packages, leading to inconsistent address resolution
>>
>> - turns DNS requests into XML requests fed over the sysdbus for requests
>> and answers, duplicating DNS protocol handling code requiring sysd to
>> keep up with
>> DNS changes.
>>
>> - does forwarding-only & relies on DHCP for a full DNS server stripping off
>> DNS security records in the process so sysd-local changes can't be detected
>> by local applications.
>>
>> - scans for its own group of DNS servers on all interfaces and sends out
>> DNS queries on all ports using "first-received" answers vs. authoritative
>> answers (including ones w/NXDOMAIN), allowing easy propagation of poisoned
>> DNS info.
>>
>> - believed not to handle split DNS schemes needed for VPN setups to work
>> correctly.
>>
>>
>> (**-
>> https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html)
>>
>> Apparently sysd's DNS changes haven't gone over well in terms of
>> interoperability w/existing DNS -- a persistent theme as sysd takes on a
>> new system function/area.
>>
>> _I_ have more than a little anxiety over the idea that all alternate DNS
>> solutions will be thrown out..
>>
>> comments?
> Tumbleweed's already on version 233, my bet is that the patch will be
> backported to Leap's 228 version.
>





Re: ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?

Andrei Borzenkov
29.06.2017 01:17, Mikhail Kasimov wrote:
>
> Systemd network management subsystem is not in use and it is absent in
> SUSE's systemd assembly.

It is present but service is not enabled by default.



Re: ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?

David C. Rankin
In reply to this post by L A Walsh
On 06/28/2017 03:49 PM, L A Walsh wrote:
> _I_ have more than a little anxiety over the idea that all alternate DNS
> solutions will be thrown out..
>
> comments?
>
>

  The key is you don't have to use it. I have 2 Arch servers, running current
systemd 232-8, but I use bind 9 w/dyndns update from dhcpcd with a normal
/etc/resolv.conf generated by the resolvconf package.

No problems, no issues. (same setup w/systemD for at least last 4 years)

A couple of good pages to look at alternative configs are:

  https://wiki.archlinux.org/index.php/Network_configuration#Network_managers

and

  https://wiki.archlinux.org/index.php/Systemd-networkd

  There will be many more systemD growing pains to come, you just have to have
a strategy to weather the storm. The discussion links show a lot of debate,
consideration and criticisms, but in the end, somebody has to make the call.
For better or for worse, that's freedesktop.org right now. systemD could be
scrapped tomorrow over the 'next latest and greatest systemE' and foisted upon
us all by the distros. That's well above the openSuSE list pay-grade, but your
question on what openSuSE will do for a default config is right on the money.


--
David C. Rankin, J.D.,P.E.



Re: ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?

Mikhail Kasimov
In reply to this post by Andrei Borzenkov
Weird... My Leap system:

=======

k_mikhail@linux-mk500:~> systemctl status systemd-networkd.service
● systemd-networkd.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

k_mikhail@linux-mk500:~> systemctl status networkd.service
● networkd.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

=======


29.06.2017 06:18, Andrei Borzenkov wrote:
> 29.06.2017 01:17, Mikhail Kasimov wrote:
>> Systemd network management subsystem is not in use and it is absent in
>> SUSE's systemd assembly.
> It is present but service is not enabled by default.
>


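The first post lists the mechanisms by which systemd-resolved takes over name resolution (the `resolve` NSS module in front of glibc's gethostbyname/getaddrinfo, and rewriting /etc/resolv.conf), and Mikhail's message above checks whether the networkd unit even exists on Leap. The script below turns both into one repeatable audit for an administrator who wants to know where lookups on a host are actually going. It is an added example, not code from any poster or from openSUSE; it assumes a POSIX shell, that `systemctl show` is available only when the unit check runs, and relies on the documented fact that systemd-resolved's stub listener answers on 127.0.0.53.

```shell
#!/bin/sh
# Added example (not from any message in this thread): audit where a systemd
# host routes name lookups. Assumptions: POSIX sh; systemctl is needed only by
# unit_state; 127.0.0.53 is systemd-resolved's stub listener address.

# Print the sources named on the first "hosts:" line of an nsswitch.conf,
# e.g. "files dns". Prints "missing" and fails if the file is unreadable.
nss_hosts_sources() {
    [ -r "$1" ] || { echo "missing"; return 1; }
    sed -n 's/^hosts:[[:space:]]*//p' "$1" | head -n 1
}

# Succeed (exit 0) when the hosts line sends lookups through systemd's
# "resolve" NSS module, which is how glibc's gethostbyname/getaddrinfo
# calls end up in systemd-resolved instead of talking to the DNS servers
# listed in resolv.conf directly.
nss_uses_resolve() {
    case " $(nss_hosts_sources "$1") " in
        *" resolve "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a resolv.conf: "stub" when it points at 127.0.0.53 (answers then
# come from systemd-resolved, whatever the application believes its upstream
# servers are), "direct" otherwise, "missing" if unreadable.
resolv_mode() {
    [ -r "$1" ] || { echo "missing"; return 1; }
    if grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$1"; then
        echo "stub"
    else
        echo "direct"
    fi
}

# Report whether resolv.conf is a symlink and where it points; resolved
# manages the file by replacing it with a link into /run.
resolv_link_target() {
    if [ -L "$1" ]; then readlink "$1"; else echo "(regular file)"; fi
}

# Load and active state of a unit, formatted "loaded/active" or
# "not-found/inactive" (the same facts `systemctl status` prints).
unit_state() {
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl unavailable"; return 1; }
    systemctl show -p LoadState -p ActiveState "$1" 2>/dev/null \
        | awk -F= '{ s = s (NR > 1 ? "/" : "") $2 } END { print s }'
}

# Full audit; paths default to the live system files.
audit() {
    nss="${1:-/etc/nsswitch.conf}"
    rc="${2:-/etc/resolv.conf}"
    echo "hosts sources : $(nss_hosts_sources "$nss")"
    if nss_uses_resolve "$nss"; then
        echo "nss resolve   : yes (lookups go through systemd-resolved)"
    else
        echo "nss resolve   : no"
    fi
    echo "resolv.conf   : $(resolv_mode "$rc"), $(resolv_link_target "$rc")"
    for u in systemd-resolved.service systemd-networkd.service; do
        echo "$u: $(unit_state "$u")"
    done
}

# Usage: sh resolver-audit.sh --audit [nsswitch.conf] [resolv.conf]
if [ "${1:-}" = "--audit" ]; then
    audit "${2:-}" "${3:-}"
fi
```

Running it with `--audit` on a Leap host as described in the thread should report `not-found/inactive` for both units, a plain `files dns` hosts line and a `direct` resolv.conf; a `resolve` entry or a `stub` resolv.conf is the signal that an alternative resolver such as bind or dnsmasq is no longer the one applications are actually asking.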


Re: ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?

Anton Aylward-2
In reply to this post by David C. Rankin
On 29/06/17 01:54 AM, David C. Rankin wrote:
>   The key is you don't have to use it.

Indeed.

While the initial justification for systemd replacing (much of) SysVInit made
sense, Linda has a point when she says that the developers are on a roll now
trying to consume subsystems that operate perfectly well.

The issue isn't that here is a regular Bind9 and corresponding DHCP but there
are alternatives as well.  This is FOSS.   I've used Bind9.  Somewhere out there
on a backup is the config (though why it couldn't be in /etc/ I don't know), but
right now I run DNSMASQ.  YMMV.

Is DNSMASQ 'non standard'?
Well, that's arguable.  It doesn't use the Bind9 config files and while it can
consume /etc/resolv.conf and /etc/hosts in the same way that I expect the
systemd version will via transformation to unit files the way it does /etc/fstab
at present, it has never tried taking over anything else.

The thing about systemd, as David points out, is that it's compartmentalized.

I may _start_ DNSMASQ (asynchronously but with dependencies) using a systemd
unit file just like I start APACHE (my web server of choice among the many
available) using a systemd unit file.

But all that is start-up.  I'm not using systemd itself as a web server.

Could I?  I'd be interested in finding out, perhaps experimenting ...



--
         A: Yes.
     >   Q: Are you sure?
     >>  A: Because it reverses the logical flow of conversation.
     >>> Q: Why is top posting frowned upon?




Re: ubuntu reports probs w/new sysd DNS service...is this going to hit openSUSE?

Andrei Borzenkov
In reply to this post by Mikhail Kasimov
29.06.2017 11:16, Mikhail Kasimov wrote:

> Weird... My Leap system:
>
> =======
>
> k_mikhail@linux-mk500:~> systemctl status systemd-networkd.service
> ● systemd-networkd.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
>
> k_mikhail@linux-mk500:~> systemctl status networkd.service
> ● networkd.service
>    Loaded: not-found (Reason: No such file or directory)
>    Active: inactive (dead)
>
> =======
>

indeed, I was on TW when writing it. Sorry.

>
> 29.06.2017 06:18, Andrei Borzenkov wrote:
>> 29.06.2017 01:17, Mikhail Kasimov wrote:
>>> Systemd network management subsystem is not in use and it is absent in
>>> SUSE's systemd assembly.
>> It is present but service is not enabled by default.
>>
>
>

